Security / Cybersecurity - PowerPoint PPT Presentation

Slides: 153
Provided by: sbar91

1
Security / Cybersecurity
DOCUMENT: GSC13-GTSC6-05
FOR: Presentation
SOURCE: ITU
AGENDA ITEM: GTSC, 4.2
CONTACT(S):
  • ITU
  • Herbert Bertine, Chairman ITU-T Study Group 17

Submission Date: July 1, 2008
2
Strategic Direction
  • Cybersecurity is one of the top priorities of the
    ITU
  • Plenipotentiary Resolution 140 (2006), ITU's role
    in implementing the outcomes of the World Summit
    on the Information Society: the important
    moderator/facilitator role of ITU in action line
    C5 (building confidence and security in the use
    of ICTs).
  • Plenipotentiary Resolution 149 (2006), Study of
    definitions and terminology relating to building
    confidence and security in the use of information
    and communication technologies
  • WTSA-04 Resolution 50, Cybersecurity: instructs
    the Director of TSB to develop a plan to
    undertake evaluations of existing and evolving
    ITU-T Recommendations, and especially signalling
    and communications protocol Recommendations, with
    respect to their robustness of design and
    potential for exploitation by malicious parties
    to interfere destructively with their deployment
  • WTSA-04 Resolution 51, Combating spam: instructs
    the Director of TSB to prepare urgently a report
    to the Council on relevant ITU and other
    international initiatives for countering spam,
    and to propose possible follow-up actions - Done
  • WTSA-04 Resolution 52, Countering spam by
    technical means: instructs relevant study groups
    to develop, as a matter of urgency, technical
    Recommendations, including required definitions,
    on countering spam

3
Highlights of current activities (1)
  • ITU Global Cybersecurity Agenda (GCA)
    • A framework for international cooperation in
      cybersecurity
    • ITU response to its role as sole Facilitator for
      WSIS Action Line C5
    • Five key work areas: Legal, Technical,
      Organisational, Capacity Building, International
      Cooperation
    • World-renowned Group of High-Level Experts (HLEG)
      working on global strategies
    • GCA/HLEG met 26 June 2008 to agree upon a set of
      recommendations on all five work areas for
      presentation to the ITU Secretary-General
  • ISO/IEC/ITU-T Strategic Advisory Group on
    Security
    • Coordinates security work and identifies areas
      where new standardization initiatives may be
      warranted. Portal established. Workshops
      conducted.
  • Identity Management
    • Effort jump-started by the IdM Focus Group, which
      produced 6 substantial reports (265 pages) in 9
      months
    • JCA IdM and IDM-GSI established; main work is
      in SGs 17 and 13
    • First IdM Recommendation, X.1250, Requirements
      for global identity management trust and
      interoperability - now in approval process

4
Highlights of current activities (2)
  • Core security (SG 17)
    • Approved 14 texts in 2007, 17 so far in 2008, 15
      more for action in September 2008
    • Summaries of Recommendations under development
      are available at
      http://www.itu.int/dms_pub/itu-t/oth/0A/0D/T0A0D00000D0003MSWE.doc
    • Covering frameworks, cybersecurity, countering
      spam, home networks, mobile, web services, secure
      applications, ISMS, telebiometrics, etc.
    • Work underway on additional topics including
      IPTV, multicast and USN security, risk
      management and incident management, and traceback
    • Questionnaire issued to developing countries to
      ascertain their security needs
    • Updated security roadmap/database, compendia and
      manual; strengthened coordination
  • Security for NGN
    • Y.2701, Security Requirements for NGN Release 1 -
      published
    • Y.2702, NGN authentication and authorization
      requirements - determined

5
Challenges
  • Addressing security to enhance the trust and
    confidence of users in networks, applications and
    services
  • With global cyberspace, what are the security
    priorities for the ITU with its government /
    private sector partnership?
  • Need for top-down strategic direction to
    complement the bottom-up, contribution-driven
    process
  • Balance between centralized and distributed
    efforts on security standards
  • Legal and regulatory aspects of cybersecurity,
    spam, identity/privacy
  • Address the full cycle: vulnerabilities, threats
    and risk analysis; prevention; detection; response
    and mitigation; forensics; learning
  • Agree uniform definitions of cybersecurity terms
  • Marketplace acceptance of Information Security
    Management System (ISMS) standards (ISO/IEC
    27000-series and ITU-T X.1051), the security
    equivalent of the ISO 9000-series
  • Effective cooperation and collaboration across
    the many bodies doing cybersecurity work
  • PSO help is needed in keeping the security
    database up to date
  • Informal security experts network needs
    commitment
  • There is no silver bullet for cybersecurity

6
Next Steps/Actions for ITU-T
  • All Study Groups have proposed Questions for the
    next study period
    • Most study groups have Questions concerning
      security
    • Questions are mainly an evolution of the
      existing work program
    • See Supplemental Information
  • The World Telecommunication Standardization
    Assembly (WTSA) in October 2008 will make
    decisions on the priorities, work program
    (Questions) and organization of Study Groups,
    including security / cybersecurity work
  • Meanwhile, the present work program continues
    under the current structure (see Supplemental
    Information)
    • E.g., Study Groups 17 and 13 will each meet in
      September to approve additional security
      Recommendations
    • A new edition of the ITU-T Security Manual is
      scheduled for October 2008

7
Proposed revision to Resolution
  • Resolution GSC-12/19, Cybersecurity
  • Add a new Resolves as follows:
    5) supply updated information on their
    security standards work for inclusion in the ICT
    Security Standards Roadmap, a database of
    security standards hosted by the ITU-T at
    http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

8
Supplemental Information
  • Security activities
    • ITU General Secretariat
    • Telecommunication Standardization Sector (ITU-T)
    • Radiocommunication Sector (ITU-R)
    • Telecommunication Development Sector (ITU-D)
  • Useful web resources

9
Supplemental Information
  • ITU
  • General Secretariat
  • Corporate Strategy Division

10
A Framework for International Cooperation in
Cybersecurity
11
Issues and Challenges
  • Constant evolution of the nature of cyberthreats

12
WSIS and Cybersecurity
Confidence and security are among the main
pillars of the information society.
"Strengthening the trust framework, including
information security and network security,
authentication, privacy and consumer protection,
is a prerequisite for the development of the
Information Society and for building confidence
among users of ICTs."
- WSIS Geneva Declaration of Principles, Para 35
"We reaffirm the necessity to further promote,
develop and implement in cooperation with all
stakeholders a global culture of cyber-security,
as outlined in UNGA Resolution 57/239 and other
relevant regional frameworks."
- WSIS Tunis Agenda, Para 39
13
ITU's Role as WSIS C5 Facilitator
At the World Summit on the Information Society
(WSIS), world leaders and governments entrusted
ITU to take the leading role in coordinating
international efforts on cyber-security, as the
sole Facilitator of Action Line C5, "Building
confidence and security in the use of ICTs".
The International Telecommunication Union (ITU)
provides the global perspective and expertise
needed to meet the challenges, with a track
record of brokering agreements between public
and private interests on a level playing field
ever since its inception in 1865.
Third Facilitation Meeting, 22-23 May
2008, ITU Headquarters, Geneva:
http://www.itu.int/osg/csd/cybersecurity/WSIS/3rdMeeting.html
14
A Global Strategy for Action
The strategy for a solution must identify those
existing national, regional and international
initiatives, work with all relevant players to
identify priorities and bring partners together
with the goal of proposing global solutions to
address the global challenges we face today.
ITU Global Cybersecurity Agenda (GCA)
  • A framework for international multi-stakeholder
    cooperation in cybersecurity
  • ITU Response to its role as sole Facilitator for
    WSIS Action Line C5
  • World renowned Group of High Level Experts
    (HLEG) to develop global strategies
  • Representing main stakeholder groups working
    towards the same goals
  • Developing harmonized global strategies

15
GCA Work Areas
GCA rests on five pillars or work areas:
  • Legal Measures
  • Technical and Procedural Measures
  • Organizational Structures
  • Capacity Building
  • International Cooperation
16
High-Level Experts Group (GCA/HLEG)
Elaboration of global strategies for:
  1. the development of a model cybercrime
     legislation
  2. the creation of appropriate national and regional
     organizational structures and policies on
     cybercrime
  3. the establishment of security criteria and
     accreditation schemes for software applications
     and systems
  4. the creation of a global framework for watch,
     warning and incident response
  5. the creation and endorsement of a generic and
     universal digital identity system
  6. the facilitation of human and institutional
     capacity-building
  7. international cooperation, dialogue and
     coordination
17
GCA/HLEG Members
Argentina, Brazil, Cameroon, Canada, China,
Egypt, Estonia, Germany, Japan, India,
Indonesia, Italy, Malaysia, Morocco,
Portugal, Republic of Lithuania, Russian
Federation, Saudi Arabia, South Africa,
Switzerland, United States
Diversity of Participation
  • Ecole Polytechnique Fédérale de Lausanne
    (EPFL), Switzerland
  • Information Security Institute, Australia
  • Moscow Technical University of
    Communications, Russian Federation
  • African Telecommunication Union (ATU)
  • Asia Pacific Economic Cooperation
    Telecommunications (APECTEL)
  • Commonwealth Telecommunications
    Organisations (CTO)
  • Council of Europe
  • Department of Economic and
    Social Affairs (DESA)
  • European Information and Network
    Security Agency (ENISA)
  • International Criminal Police
    Organization (Interpol)
  • Organisation for Economic Co-operation
    and Development (OECD)
  • Authentrus
  • BITEK International Inc.
  • Cybex
  • Cisco
  • Garlik
  • Intel Corporation
  • Microsoft Corporation
  • Télam S.E.
  • VeriSign, Inc.
  • Stein Schjolberg, Chief Judge,
    Moss Tingrett Court, Norway
  • Solange Ghernaouti-Helie,
    HEC-Université de Lausanne, Switzerland
  • Sy Goodman, Georgia Institute of Technology,
    United States
  • Nabil Kisrawi, Chairman of WG-Def,
    Syrian Republic
  • Bruce Schneier, Security Technologist,
    United States

18
GCA/HLEG
Leveraging expertise for international consensus:
  • On a Global level, from government and
    international organizations to industry
  • For a Harmonised approach to build synergies
    between initiatives
  • Through Comprehensive strategies on all levels
GCA/HLEG is building synergies with existing
initiatives and working with stakeholders in
these five key areas:
  • Legal Measures, e.g. Cybercrime legislation
    (Council of Europe), Moss Tingrett Court Norway,
    Cybex
  • Technical and Procedural Measures, e.g.
    Software (Microsoft), hardware (Intel),
    Networking (CISCO), Security Apps/Services
    (Verisign), Global Standards and Development
    (ITU)
  • Organisational Structures, e.g. Ecole
    Polytechnique Fédérale de Lausanne (EPFL), Forum
    of Incident Response and Security Teams, OECD
  • Capacity Building, e.g. United Nations
    Institution for Training and Research (UNITAR),
    European Network and Information Security Agency
    (ENISA)
  • International Cooperation, e.g. Interpol,
    United Nations Office on Drug and Crime (UNODC)
19
HLEG
  • The HLEG work is an ongoing, dynamic process with
    information-sharing and interaction relating to
    the elaboration of Global Strategies to meet the
    goals of the GCA and the ITU role as sole
    facilitator for WSIS Action Line C.5.
  • Three meetings held:
    • First Meeting of the HLEG held on 5 October 2007
    • Second Meeting of the HLEG held on 21 May 2008
    • Third Meeting of the HLEG held on 26 June 2008
  • Chairman's Report
    • The results of the work of the HLEG, including
      recommendations, the views expressed during the
      meeting and additional information about the
      previous work of the HLEG are contained in the
      Chairman's report, which will be available at
      http://www.itu.int/osg/csd/cybersecurity/gca/hleg/meetings/third/index.html

20
GCA Sponsorship Programme Join us!
  • This Sponsorship programme will ensure that all
    relevant stakeholders are aware of HLEG's
    valuable work, and will also increase global
    understanding of how to work together to
    implement effective strategies. It will then be
    up to the stakeholders themselves, within their
    respective mandates and capabilities, to
    translate these strategies into concrete actions.
  • GCA Sponsors will help to promote the goals of
    this initiative around the world by participating
    in high-profile business activities including
    publications, public campaigns, an annual
    conference and other events. In addition to the
    opportunity to meet with high-level decision
    makers, Sponsors also stand to enhance their
    image and credibility with their stakeholders.

21
"The world must take action. It must stand
united. This is not a problem any one nation
can solve alone."
- Dr Óscar Arias Sánchez, Nobel Peace
Laureate, President of the Republic of Costa
Rica, Patron of the Global Cybersecurity
Agenda
22
Conclusions
Towards a global Cyberpeace
The threats to global cybersecurity demand a
global framework!
"The magnitude of this issue calls for a
coordinated global response to ensure that there
are no safe havens for cybercriminals. ITU will
act as a catalyst and facilitator for these
partners to share experience and best practice,
so as to step up efforts for a global response to
cybercrime. In this way, working together, we
can create a cyberspace that is somewhere safe
for people to trade, learn and enjoy."
- Dr Hamadoun I. Touré, Secretary-General, ITU
23
For more information on the
ITU Global Cybersecurity Agenda and ITU
Activities in Cybersecurity:
http://www.itu.int/cybersecurity/
Email: gca@itu.int
24
Supplemental Information
  • ITU-T Telecommunication Standardization Sector

25
ITU-T
ITU-T Security and Cybersecurity Activities
  • SG 17, Security, Languages and Telecommunication
    Software
    • Lead Study Group on Telecommunication Security
  • SG 2, Operational Aspects of Service Provision,
    Networks and Performance
  • SG 4, Telecommunication Management
  • SG 5, Protection Against Electromagnetic
    Environment Effects
  • SG 9, Integrated Broadband Cable Networks and
    Television and Sound Transmission
  • SG 11, Signalling Requirements and Protocols
  • SG 13, Next Generation Networks
  • SG 15, Optical and Other Transport Network
    Infrastructures
  • SG 16, Multimedia Terminals, Systems and
    Applications
  • SG 19, Mobile Telecommunication Networks

26
ITU-T SG 17
  • ITU-T Study Group 17, Security, Languages and
    Telecommunication Software
  • Q.4/17, Communications Systems Security Project
  • Q.5/17, Security Architecture and Framework
  • Q.6/17, Cyber Security
  • Q.7/17, Security Management
  • Q.8/17, Telebiometrics
  • Q.9/17, Secure Communication Services
  • Q.17/17, Countering Spam by Technical Means
  • Q.2/17, Directory Services, Directory Systems
    and Public-key/Attribute Certificates

27
SG 17 Q.4/17 Communications Systems Security
Project
  • ITU-T SG 17 Question 4
  • Communications Systems Security Project
  • Overall Security Coordination and Vision
  • Outreach and promotional activities
  • ICT Security Standards Roadmap
  • Security Compendium
  • ITU-T Security manual
  • Focus Group on Security Baseline For Network
    Operators

28
SG 17 Q.4/17 results achieved
  • Successful workshop organized at start of Study
    Period to consider future direction of security
    standards
  • Security Standards Roadmap developed; it includes
    security standards from ITU, ISO/IEC, IEEE, IETF,
    ATIS, ETSI, OASIS and 3GPP
  • Security Compendium and Security Manual
    maintained and updated
  • Security Baseline for Network Operators developed

29
SG 17 Q.4/17 challenges
  • Overall shortage of participants and contributors
  • Roadmap issues/challenges:
    • Taxonomy (always a challenge!)
    • Finding out about new standards and when to post
      them
    • Appearance of the database
    • Need to develop a short guide to the update
      process

30
SG 17 Q.4/17 progress since GSC-12
  • Security Roadmap:
    • The listing of standards has been converted to a
      searchable database
    • Further updating is planned to ease navigation
    • A new section (Part 5) has been added on
      (non-proprietary) Best Practices

31
SG 17 Q.4/17 focus for next study period
  • Will continue to be the primary SG contact for
    security coordination issues
  • Will maintain and update outreach material:
    • Security Manual
    • Security Roadmap
    • Security Compendium
  • Responsibilities will be limited to coordination
    and outreach; no Recommendations

32
SG 17 Q.5/17 Security Architecture and
Framework
  • ITU-T SG 17 Question 5
  • Security architecture and framework
  • Scope
  • Strategic direction
  • Challenges
  • Major activities and accomplishments
  • Actions for the next study period

33
SG 17 Q.5/17 scope

[Figure residue: X.1036; X.1034, X.1035; X.1031;
Supplement to X.800-X.849, Guidelines for
implementing system and network security]
Recommendation X.805 has been the foundation of
Q.5/17 security studies and has shaped the scope of
its work
34
SG 17 Q.5/17 scope (continued)
  • Q.5/17 has developed Recommendations that further
    develop the concepts of X.805 and provide
    guidance on their implementation:
    • X.1031, Security architecture aspects of end
      users and networks in telecommunications -
      provides guidance on applying the concepts of the
      X.805 architecture for distributing the security
      controls between the telecommunication networks
      and the end users' equipment.
    • X.1034, Guidelines on Extensible Authentication
      Protocol based Authentication and Key Management
      in a Data Communication Network, and X.1035,
      Password-Authenticated Key Exchange Protocol
      (PAK) - specify protocols and procedures that
      support functions of the Authentication security
      dimension.
    • X.1036, Framework for creation, storage,
      distribution and enforcement of policies for
      network security - further develops the concept
      of the security policy described in X.805.
    • Supplement to X.800-X.849, Guidelines for
      implementing system and network security -
      provides guidelines for implementing system and
      network security utilizing the concepts of X.805
      and other security Recommendations and standards.

35
SG 17 Q.5/17 strategic direction
  • Development of a comprehensive set of
    Recommendations for providing standard security
    solutions for telecommunications in collaboration
    with other Standards Development Organizations
    and ITU-T Study Groups.
  • Studies and development of a trusted
    telecommunication network architecture that
    integrates advanced security technologies.
  • Maintenance and enhancements of Recommendations
    in the X.800-series and X.103x-series.
  • Coordination of studies on NGN security (with
    Question 15/13)

36
SG 17 Q.5/17 challenges
  • Authentication and key agreement is one of the
    most complex and challenging security procedures.
    Question 5/17 has developed Recommendations that
    contribute to the standards solutions for
    authentication and key management:
    • X.1034, Guidelines on Extensible Authentication
      Protocol based Authentication and Key Management
      in a Data Communication Network
      • Establishes a framework for EAP-based
        authentication and key management for securing
        the link layer in an end-to-end data
        communication network.
      • Provides guidance on the selection of EAP
        methods.
    • X.1035, Password-Authenticated Key Exchange
      Protocol (PAK)
      • Specifies a protocol that ensures mutual
        authentication of both parties while
        establishing a symmetric cryptographic key via
        a Diffie-Hellman exchange.

37
SG 17 Q.5/17 major accomplishments
  • Recommendations developed by Q.5/17:
    • X.1031, Security architecture aspects of end
      users and networks in telecommunications
    • X.1034, Guidelines on Extensible Authentication
      Protocol based Authentication and Key Management
      in a Data Communication Network
    • X.1035, Password-Authenticated Key Exchange
      Protocol (PAK)
    • X.1036, Framework for creation, storage,
      distribution and enforcement of policies for
      network security
  • A Supplement developed by Q.5/17:
    • Supplement to X.800-X.849 series, Guidelines for
      implementing system and network security
  • Other technical documents prepared by Q.5/17:
    • In response to WTSA Resolution 50, Question
      5/17 has prepared Guidelines for designing secure
      protocols using ITU-T Recommendation X.805.
  • Major coordination activity conducted by Q.5/17:
    • Question 5/17 has coordinated security studies
      with Question 15 of SG 13, NGN Security, ensuring
      alignment of the standards work in both groups.

38
SG 17 Q.5/17 actions for next study period
  • How should a comprehensive, coherent
    communications security solution be defined?
  • What is the architecture for a comprehensive,
    coherent communications security solution?
  • What is the framework for applying the security
    architecture in order to establish a new security
    solution?
  • What is the framework for applying security
    architecture in order to assess (and consequently
    improve) an existing security solution?
  • What are the architectural underpinnings for
    security?
  • What new Recommendations may be required for
    providing security solutions in the changing
    environment?
  • How should architectural standards be structured
    with respect to existing Recommendations on
    security?
  • How should architectural standards be structured
    with respect to the existing advanced security
    technologies?
  • How should the security framework Recommendations
    be modified to adapt them to emerging
    technologies and what new framework
    Recommendations may be required?
  • How are security services applied to provide
    security solutions?

39
SG 17 Q.6/17 Cyber Security
  • ITU-T SG 17 Question 6
  • Cyber Security
  • Motivation
  • Scope
  • Challenges
  • Highlights of activities
  • Actions for Next Study Period
  • Collaboration with SDOs

40
SG 17 Q.6/17 motivation
  • Network connectivity and ubiquitous access are
    central to today's IT systems
  • Widespread access and loose coupling of
    interconnected IT systems and applications are a
    primary source of widespread vulnerability
  • Threats such as denial of service, theft of
    financial and personal data, network failures and
    disruption of voice and data telecommunications
    are on the rise
  • Network protocols in use today were developed in
    an environment of trust
  • Most new investment and development is dedicated
    to building new functionality and not to securing
    that functionality
  • An understanding of cybersecurity is needed in
    order to build a foundation of knowledge that
    can aid in securing the networks of tomorrow

41
SG 17 Q.6/17 scope
  • Definition of Cybersecurity
  • Security of Telecommunications Network
    Infrastructure
  • Security Knowledge and Awareness of Telecom
    Personnel and Users
  • Security Requirements for Design of New
    Communications Protocol and Systems
  • Communications relating to Cybersecurity
  • Security Processes: life-cycle processes
    relating to incidents and vulnerabilities
  • Security of Identity in Telecommunication Network
  • Legal/Policy Considerations
  • IP traceback technologies
  • Authentication Assurance

42
SG 17 Q.6/17 challenges
  • How should the current Recommendations be further
    enhanced for their wide deployment and usage?
  • How to harmonize common IdM data models across
    the ITU?
  • How to define and use the term "Identity" within
    the ITU?
  • How to detect and predict future threats and
    risks to networks?
  • How to harmonize various IdM solutions?
  • What are the best strategies to improve
    Cybersecurity?
  • How to maintain a living list of IdM terms and
    definitions and use it informally across the ITU?

43
SG 17 Q.6/17 highlights of activities
Completed Recommendations
No.     Title
X.1205  Overview of Cybersecurity
X.1206  A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update
X.1207  Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software
X.1250  Requirements for global identity management trust and interoperability
X.1303  Common Alerting Protocol (CAP 1.1)
X.1250 is currently in the approval process.
44
SG 17 Q.6/17 highlights of activities (2)
Recommendations under development:
  • ITU-T X.eaa | ISO/IEC xxxx, Information technology -
    Security techniques - Entity authentication
    assurance. This Recommendation | International
    Standard provides a framework for entity
    authentication assurance, which is the
    quantification of the risks that an entity is who
    or what he/she/it claims to be. In other words,
    entity authentication assurance is a measure of
    the confidence or risks associated with the
    authentication process and mechanisms.
  • ITU-T X.gopw, Guideline on preventing worm
    spreading in a data communication network. This
    Recommendation describes worm and other malicious
    code spreading patterns and scenarios in a data
    communication network. The Recommendation provides
    guidelines for protecting users and networks from
    such malicious codes.
45
SG 17 Q.6/17 highlights of activities (3)
Recommendations under development:
  • ITU-T X.idif, User Control enhanced digital
    identity interchange framework. This
    Recommendation defines a framework that covers
    how global interoperable digital identity
    interchange can be achieved and how an entity's
    privacy is enhanced by providing an entity more
    control over the process of identity interchange.
    In addition, the Recommendation defines the
    general and functional requirements of the
    framework that should be satisfied. Based on the
    requirements, a framework is defined with basic
    functional building blocks for identity
    interchange and enhancing entity control.
  • ITU-T X.idm-dm, Common identity data model. This
    Recommendation develops a common data model for
    identity data that can be used to express identity
    related information among IdM systems.
46
SG 17 Q.6/17 actions for next study period
  • Enhance current Recommendations to accelerate
    their adoption
  • Work with SG 2 on the Trusted Service Provider
    Identifier (TSPID)
  • Collaborate with Questions 5, 7, 9, 17/17 and
    with SG 2 in order to achieve a better
    understanding of various aspects of network
    security
  • Collaborate with IETF, OASIS, ISO/IEC JTC1,
    Liberty Alliance and other standardization bodies
    on Cybersecurity
  • Work with OASIS on maintaining the OASIS Common
    Alerting Protocol V1.1 (ITU-T Recommendation
    X.1303)
  • Study new Cybersecurity issues: how should ISPs
    deal with botnets, evaluating the output of
    appropriate bodies when available
  • Study technical aspects of Traceback techniques
  • Joint work with ISO/IEC JTC 1/SC 27 on Entity
    Authentication Assurance
  • Progress work with Liberty Alliance on Identity
    Authentication Frameworks
  • Work with SG 4 and SG 13 on common IdM Data
    Models
  • Develop a framework for user-control-enhanced
    digital identity interchange
  • Develop a guideline on protection of personally
    identifiable information in RFID applications
  • Develop requirements for a security information
    sharing framework
  • Develop a guideline on preventing worm spreading
    in a data communication network
  • Maintain the IdM Lexicon document

47
SG 17 Q.6/17 collaboration with other SDOs
  • ISO/IEC JTC 1/SC 27
  • IEC/TC 25
  • IETF
  • IEEE
  • Liberty Alliance
  • OASIS
  • W3C
  • 3GPP
  • ETSI/TISPAN

48
SG 17 Q.7/17 Security management
  • ITU-T SG 17 Question 7
  • Security management
  • Scope
  • Challenges
  • Highlights of activities
  • Actions for Next Study Period
  • Collaboration with SDOs

49
SG 17 Q.7/17 scope
For telecommunications organizations, information
and the supporting processes, facilities,
networks and communications media are all
important business assets. In order for
telecommunications organizations to appropriately
manage these business assets and to correctly
continue their business activity, Information
Security Management is essential. The
scope of this Question is to provide GUIDELINES
and BASELINES of Information Security Management
to be appropriately applied to
telecommunications organizations. Studies on
this issue may be extended to cover the
following items:
  • information security management guidelines
    (baseline)
  • information incident management guidelines
  • risk management and risk profiles guidelines
  • assets management guidelines
  • policy management guidelines
  • information security governance
  • etc.
50
SG 17 Q.7/17 strategic directions
51
SG 17 Q.7/17 challenges
  • How should information assets in
    telecommunications systems be identified and
    managed?
  • How should information security policy for
    telecommunications systems be identified and
    managed?
  • How should specific management issues for
    telecommunications organizations be identified?
  • How should information security management system
    (ISMS) for telecommunications organizations be
    properly constructed by using the existing
    standards (ISO/IEC and ITU-T)?
  • How should measurement of information security
    management in telecommunications be identified
    and managed?
  • How should an information security governance
    framework be identified and managed?
  • How should security management be applied to
    small and medium telecommunications
    organizations?

52
SG 17 Q.7/17 highlights of achievements
Recommendations
No.     Title
X.1051  Information security management guideline for telecommunications organizations based on ISO/IEC 27002
X.rmg   Risk management and risk profile guide
X.sim   Security incident management guidelines for telecommunications
X.ismf  Information Security Management Framework for Telecommunications
X.rmg, X.sim and X.ismf are currently under development.
53
SG 17 Q.7/17 actions for next study period
  • Review the existing management
    Recommendations/Standards in ITU-T and ISO/IEC
    management standards with respect to asset
    identification and security policy management.
  • Study and develop a methodology of assets
    identification and policy management for
    telecommunications based on the concept of
    information security management (X.1051).
  • Study and develop information security management
    framework for telecommunications based on the
    concept of information security management
    (X.1051).
  • Study and develop security management guidelines
    for small and medium telecommunications based on
    the concept of information security management
    (X.1051).
  • Study and develop a methodology to construct
    information security management system (ISMS) for
    telecommunications organizations based on the
    existing standards (ISO/IEC and ITU-T).
  • Study and develop an information security
    governance framework for telecommunications that
    encompasses information technology and
    information security management.

54
SG 17 Q.7/17 collaboration with SDOs
  • ISO/IEC JTC 1/SC27
  • ETSI
  • TTC
  • NIST

55
SG 17 Q.8/17 Telebiometrics
  • ITU-T SG 17 Question 8
  • Telebiometrics
  • Scope
  • Strategic Direction
  • Challenges
  • Highlights of activities
  • Actions for Next Study Period
  • Collaboration with SDOs

56
SG 17 Q.8/17 scope
[Figure: telebiometric processing chain. Stages: Biometric Sensors, Acquisition (capturing), Extraction, Storage, Matching, Score, Decision (Yes/No), Application, linked over networks (NW = Network). Security topics overlaid on the chain: Digital key / Secure protocol / Authentication infrastructure / System mechanism / Protection procedure; Safety conformity.]
57
SG 17 Q.8/17 strategic direction
Security and Protection for telebiometric
application systems
  • Protection procedures
  • System mechanism among Client/Server/TTP
  • BioAPI interworking protocol
  • Authentication infrastructure
  • Biometric digital key
  • Safety in interaction with sensors
58
SG 17 Q.8/17 challenges
  • How should security countermeasures be assessed
    for particular applications of telebiometrics?
  • How can identification and authentication of
    users be improved by the use of interoperable
    models for safe and secure telebiometric methods?
  • What mechanisms need to be supported to ensure
    safe and secure manipulation of biometric data in
    any application of telebiometrics, e.g.,
    telemedicine or telehealth?
  • How should the current Recommendations be further
    enhanced for their wide deployment and usage?

59
SG 17 Q.8/17 highlights of activities
Approved Recommendations
No. Title
X.1082 Telebiometrics related to human physiology
X.1083 BioAPI Interworking Protocol
X.1084 Telebiometrics system mechanism Part 1 General biometric authentication protocol and system model profiles on telecommunication systems
X.1088 Telebiometrics digital key A framework for biometric digital key generation and protection
X.1089 Telebiometrics authentication infrastructure
60
SG 17 Q.8/17 actions for next study period
  • Enhance current Recommendations to accelerate
    their adoption to various telebiometric
    applications and populate the telebiometric
    database.
  • Review the similarities and differences among the
    existing telebiometrics Recommendations in ITU-T
    and ISO/IEC standards.
  • Study and develop security requirements and
    guidelines for any application of telebiometrics.
  • Study and develop requirements for evaluating
    security, conformance and interoperability with
    privacy protection techniques for any application
    of telebiometrics.
  • Study and develop requirements for telebiometric
    applications in a high functionality network.
  • Study and develop requirements for telebiometric
    multi-factor authentication techniques based on
    biometric data protection and biometric
    encryption.
  • Study and develop requirements for appropriate
    generic protocols providing safety, security,
    privacy protection, and consent for manipulating
    biometric data in any application of
    telebiometrics, e.g., telemedicine or telehealth.
  • Prepare a manual on telebiometrics.

61
SG 17 Q.8/17 collaboration with other SDOs
  • ISO/IEC JTC 1/SCs 17, 27 and 37
  • ISO/TC 68 and TC 12
  • IEC/TC 25
  • IETF
  • IEEE
  • International Bureau of Weight and Measurement
    (BIPM)

62
SG 17 Q.9/17 Secure communication services
  • ITU-T SG 17 Question 9
  • Secure Communication Services
  • Focus
  • Position of each topic
  • Strategic direction
  • Challenges
  • Major achievements
  • Security work proposed for next study period

63
SG 17 Q.9/17 focus
  • Develop a set of standards for secure application
    services, including
  • Mobile security
  • Home network security
  • Web Services security
  • Secure application services
  • NID/USN security Under study
  • Multicast security Under study
  • IPTV security Under study

64
SG 17 Q.9/17 position of each topic
[Figure: position of each Q.9/17 topic in the network. Mobile security: Mobile Terminal and Mobile Network. Home network security: Home Gateway and Home Network. IPTV security / Multicast security: Content Provider, Core Open Network and the STB in the Home Network. USN security: Ubiquitous Sensor Network, USN gateway and USN Application Server. NID security: NID tag, NID reader and NID Application Server. Secure application services / Web Services security: Client and Application Server.]
65
SG 17 Q.9/17 strategic direction
  • For developing the draft Recommendations on IPTV
    security matters
  • Participate in the ITU-T IPTV-GSI events (January to
    December 2008) to develop them consistently with the
    relevant Recommendations being developed by other
    Questions
  • Propose X.iptvsec-1 (Requirements and
    architecture for IPTV security matter) for
    consent by September 2008, to meet urgent market
    need
  • Based on X.iptvsec-1, continue to study a set of
    possible draft Recommendations which complement
    X.iptvsec-1 technologically
  • Continue to develop a set of draft
    Recommendations in domain-specific areas
  • Mobile network, Home network, (mobile) Web
    Services, application services, NID/USN service,
    IPTV service multicasting service, etc.
  • Continue to adopt or update the mature standards
    (e.g., SAML, XACML) developed by other SDOs,
    especially by OASIS, in the area of Web Services
    security
  • Develop a common text of X.usnsec-1 (Security
    framework for USN) with ISO/IEC JTC 1/SC 6 (as of
    June 2008)
  • Keep maintaining liaison activities with 3GPP,
    3GPP2, JTC 1/SC 6, 25, 27 to develop the relevant
    draft Recommendations

66
SG 17 Q.9/17 challenges
  • For the domain-specific draft Recommendations,
    coordination with other relevant Questions/SDOs
    needs to be strengthened so that they are developed
    consistently with that work.
  • During this Study period, Q.9/17 has focused on the
    security framework for various domain-specific
    networks. From now on, the emphasis should shift to
    developing pragmatic draft Recommendations with
    significant impact on industry for these
    domain-specific networks, in collaboration with
    industry, other relevant SDOs and network/service
    providers.
  • For the draft Recommendations on IPTV security
    matters, the detailed work items should continue to
    be identified as the work progresses.

67
SG 17 Q.9/17 major achievements
  • Mobile security
  • X.1123, General security value added service
    (policy) for mobile data communication, Approved
    2007
  • X.1124, Authentication architecture in mobile
    end-to-end data communication, Approved 2007
  • X.1125, Correlative reacting system in mobile
    network, Approved 2007
  • NID security
  • X.1171, Framework for Protection of Personally
    Identifiable Information in Networked ID
    Services, Consented 2008
  • Home network security
  • X.1111, Framework for security technologies for
    home network, Approved 2007
  • X.1112, Certificate profile for the device in the
    home network, Approved 2007
  • X.1113, Guideline on user authentication
    mechanisms for home network service, Approved
    2007
  • X.homesec-4, Authorization framework for home
    network, to be consented 2008
  • USN security
  • X.usnsec-1, Requirement and Framework for
    Ubiquitous Sensor Network, New work item in 2007

68
SG 17 Q.9/17 major achievements (2)
  • Multicast Security
  • X.mcsec-1, Security Requirement and Framework in
    Multicast communication, New work item in 2007
  • IPTV security
  • X.iptvsec-1, Functional Requirements and
    architecture for IPTV security aspects, New work
    item in 2008
  • X.iptvsec-2, Requirement and mechanism for Secure
    Transcodable Scheme, New work item in 2008
  • X.iptvsec-3, Key management framework for secure
    IPTV communications, New work item in 2008
  • Web Services security
  • X.1143, Security architecture for message
    security in mobile Web Services, Approved 2007
  • Secure application services
  • X.1151, Guideline on strong password
    authentication protocols, Approved 2007
  • X.1152, Secure end-to-end data communication
    techniques using Trusted Third Party services,
    Consented 2008
  • X.1161, Framework for secure peer-to-peer
    communications, Consented 2008
  • X.1162, Security architecture and operations for
    peer-to-peer network, Consented 2008

69
SG 17 Q.9/17 work for next study period
  • Divide Q.9/17 into two Questions Q.O/17 and
    Q.P/17, considering the enormous workloads.

Q.9/17 for current Study Period: Secure Communication Service
  • Mobile Security
  • Home network security
  • NID/USN security
  • Multicast security
  • IPTV security, etc.
  • Web Service security
  • Secure application security

Q.O/17 for Next Study Period: Security aspects for ubiquitous
telecommunication service
  • Mobile Security
  • Home network security
  • NID/USN security
  • Multicast security
  • IPTV security

Q.P/17 for Next Study Period: Secure application services
  • Web Service security
  • Secure application service, etc.
70
SG 17 Q.17/17 Countering spam by technical
means
  • ITU-T SG 17 Question 17
  • Countering spam by technical means
  • Scope
  • Strategic direction
  • Challenges
  • Highlights of activities
  • Actions for next study period
  • Collaboration with SDOs

71
SG 17 Q.17/17 scope
  • Develop a set of standards for countering spam by
    technical means, including
  • General technical strategies and protocols for
    countering spam
  • Guidelines, frameworks and protocols for
    countering email spam, IP multimedia spam, SMS
    spam and other new types of spam

72
SG 17 Q.17/17 strategic direction
73
SG 17 Q.17/17 challenges
  • What risks does spam pose to the
    telecommunication network?
  • What technical factors associated with the
    telecommunication network contribute to the
    difficulty of identifying the sources of spam?
  • How can new technologies lead to opportunities to
    counter spam and enhance the security of the
    telecommunication network?
  • Do advanced telecommunication network
    technologies (for example, SMS, instant
    messaging, VoIP) offer unique opportunities for
    spam that require unique solutions?
  • What technical work is already being undertaken
    within the IETF, in other fora, and by private
    sector entities to address the problem of spam?
  • What telecommunication network standardization
    work, if any, is needed to effectively counter
    spam as it relates to the stability and
    robustness of the telecommunication network?

74
SG 17 Q.17/17 highlights of activities

Approved Recommendations
No. Title
X.1231 Technical Strategies on Countering Spam
X.1240 Technologies involved in countering email spam
X.1241 Technical framework for countering email spam
X.1244 Overall aspects of IP multimedia application spam
Currently in approval process
75
SG 17 Q.17/17 actions for next study period
  • Act as the lead group in ITU-T on technical means
    for countering spam
  • Establish effective cooperation with the relevant
    ITU Study Groups, other standards bodies and
    appropriate consortia and fora.
  • Identify and examine the telecommunication
    network security risks introduced by the
    constantly changing nature of spam.
  • Develop a comprehensive and up-to-date resource
    list of the existing technical measures for
    countering spam in a telecommunication network
    that are in use or under development.
  • Determine whether new Recommendations or
    enhancements to existing Recommendations are
    needed, including methods to combat delivery of
    spyware, worms, phishing and other malicious
    content via spam, and to combat compromised
    networked equipment, including botnets, that
    delivers spam.
  • Provide regular updates to the Telecommunication
    Standardization Advisory Group and to the
    Director of the Telecommunication Standardization
    Bureau to include in the annual report to Council.

76
SG 17 Q.17/17 collaboration with SDOs
  • Standardization bodies
  • IETF
  • ISO/IEC JTC 1
  • Other bodies
  • OECD
  • MAAWG

77
SG 17 Q.2/17 - X.500 security aspects
  • ITU-T SG 17 Question 2
  • Directory Services, Directory Systems and
    Public-key/Attribute Certificates
  • X.509 as basis for other specifications
  • Certificates
  • Public-Key Infrastructure (PKI)
  • Privilege Management Infrastructure (PMI)
  • Protecting directory information
  • User authentication
  • Access control
  • Data privacy protection

78
SG 17 Q.2/17 - X.509 applicability
The X.509 specification is the base for many
other specifications
  • Secure Socket Layer (SSL)
  • The IETF Internet X.509 Public Key Infrastructure
    (PKIX) activity
  • The IETF Secure / Multipurpose Internet Mail
    Extensions (S/MIME) activity
  • The ETSI Electronic Signatures and
    Infrastructures (ESI) activity
  • Etc.

79
SG 17 Q.2/17 - X.509 applicability (2)
The X.509 specification is the base for
  • Secure e-mail
  • Online banking
  • Medical electronic journals
  • Online public service
  • Etc.

In short: the whole electronic world
80
SG 17 Q.2/17 - Public-Key Infrastructure (PKI)
  • PKI is an infrastructure for managing
    certificates. It consists of one or more
    Certification Authorities for issuing
    certificates in a secure way following a set of
    policies.
  • It includes maintaining information about
    certificates that have been revoked.
  • Directories are major components of the
    infrastructure.
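
The three bullets above describe a CA's lifecycle (issue under a policy, keep revocation state, publish it) and the relying party that depends on it. The Go program below is an added example, not material from the ITU-T presentation or from the X.509 Recommendation itself; it uses only the Go standard library (crypto/x509) to stand up a self-signed CA, issue an end-entity certificate, revoke it, publish a CRL and validate from the relying-party side. The names CA, NewCA, Issue, Revoke, PublishCRL and Validate are this example's own, and the one-hour CRL validity and 12-hour certificate lifetime are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is one Certification Authority: signing key, own certificate (the relying party's trust anchor) and revoked serials.
type CA struct {
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked []pkix.RevokedCertificate
	serial  int64
}

// sign creates a certificate from tmpl under parent and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root whose key usage permits signing certificates and CRLs.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, serial: 2}, nil
}

// Issue signs an end-entity certificate; the CA's issuing "policy" here is a fixed key usage and a 12-hour lifetime.
func (ca *CA) Issue(subject string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	ca.serial++
	return sign(tmpl, ca.Cert, &key.PublicKey, ca.key)
}

// Revoke records a serial; the certificate itself is unchanged, so the decision reaches relying parties only via the next CRL.
func (ca *CA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

// PublishCRL signs the current revocation state as a short-lived, DER-encoded CRL.
func (ca *CA) PublishCRL() ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(now.UnixNano()), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: ca.revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// Validate is the relying-party side: chain to the trust anchor, then consult a CRL that is itself CA-signed and not past NextUpdate.
func Validate(anchor, c *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(anchor); err != nil {
		return fmt.Errorf("CRL signature: %w", err) // foreign or tampered CRL
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale") // could predate a revocation
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("certificate is revoked")
		}
	}
	return nil
}
```

Validate refuses a certificate in four distinct situations: it does not chain to the anchor, the CRL is not signed by the anchor, the CRL has passed its NextUpdate, or the serial is listed. The last two separate "revoked" from "revocation status cannot be determined", a distinction a relying party needs when the directory or distribution point serving the CRL is unreachable or out of date.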

81
SG 17 Q.2/17 - Privilege Management
Infrastructure (PMI)
  • PMI is an infrastructure for managing
    authorization using attribute certificates. It
    consists of one or more Attribute Authorities for
    issuing attribute certificates in a secure way.
  • It includes maintaining information about
    attribute certificates that have been revoked.
  • Directories are major components of the
    infrastructure.
  • Recent development - PMI has been extended to
    allow privileges obtained in one domain to be
    used in another domain (federation of
    privileges).

82
SG 17 Q.2/17 - Protecting Directory Information
  • Authentication of users
  • None
  • Name
  • Name and password
  • Name and protected password
  • Strong authentication based on X.509

83
SG 17 Q.2/17 - Protecting Directory Information
  • Access control
  • Access control is about right-to-know (Who may do
    what based on level of authentication)
  • X.500 has comprehensive access control features
  • X.500 is the only directory specification having
    these features

84
SG 17 Q.2/17 - Protecting Directory Information
  • Data Privacy Protection
  • Data Privacy Protection is about right-to-know
    and need-to-know.
  • Protection against malicious searches
  • Protection against data trawling
  • Minority protection

85
SG 17 Q.2/17 - New security extension work
Password policy, that is, rules for the administration
of passwords to increase directory security
  • Password lifetime
  • Maintain password history (avoid reuse)
  • Password quality
  • Password warnings
  • Error signalling
  • Etc.

Part of next X.500 edition (2011-2012)
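
An added Go example, not part of the presentation or of the X.500 series, showing how the password-policy rules listed above fit together when a directory enforces them on a password change and at bind time: lifetime (MaxAge), history (HistoryDepth predecessors that may not be reused), quality (MinLength, MinClasses), warnings (Status reports a warning inside the WarnBefore window) and error signalling (distinct ErrTooShort, ErrTooSimple, ErrReused and ErrExpired values). All type, field and error names are this example's own; the salted SHA-256 stands in for whatever hashing a real directory uses.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
	"unicode"
)

// Policy holds the directory password rules listed on the slide.
type Policy struct {
	MaxAge       time.Duration // password lifetime
	WarnBefore   time.Duration // start warning this long before expiry
	HistoryDepth int           // predecessors that may not be reused
	MinLength    int           // quality: minimum length in runes
	MinClasses   int           // quality: distinct character classes required
}

// Distinct errors are the "error signalling": the client learns which rule failed and nothing about stored material.
var (
	ErrTooShort  = errors.New("password shorter than policy minimum")
	ErrTooSimple = errors.New("password uses too few character classes")
	ErrReused    = errors.New("password matches one in recent history")
	ErrExpired   = errors.New("password lifetime exceeded")
)

// hashed is one salted digest in an entry's password history.
type hashed struct{ salt, digest []byte }

// Account is the per-entry state a directory keeps: history[0] is the current password, older ones follow.
type Account struct {
	history []hashed
	changed time.Time
}

// digest is salted SHA-256; a production directory would use a slow, memory-hard KDF here (example simplification).
func digest(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// CheckQuality enforces the length and character-class rules.
func (p Policy) CheckQuality(pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return ErrTooShort
	}
	classes := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["other"] = true
		}
	}
	if len(classes) < p.MinClasses {
		return ErrTooSimple
	}
	return nil
}

// ChangePassword applies the quality and history rules, then rotates the history to HistoryDepth predecessors.
func (p Policy) ChangePassword(a *Account, pw string, now time.Time) error {
	if err := p.CheckQuality(pw); err != nil {
		return err
	}
	for _, old := range a.history { // constant-time compare against each retained digest
		if subtle.ConstantTimeCompare(old.digest, digest(old.salt, pw)) == 1 {
			return ErrReused
		}
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.history = append([]hashed{{salt, digest(salt, pw)}}, a.history...)
	if len(a.history) > p.HistoryDepth+1 {
		a.history = a.history[:p.HistoryDepth+1]
	}
	a.changed = now
	return nil
}

// Status applies the lifetime rule: ErrExpired once MaxAge has passed, warn=true inside the WarnBefore window.
func (p Policy) Status(a *Account, now time.Time) (warn bool, err error) {
	remaining := p.MaxAge - now.Sub(a.changed)
	if remaining <= 0 {
		return false, ErrExpired
	}
	return remaining <= p.WarnBefore, nil
}
```

Keeping the current password plus HistoryDepth predecessors as salted digests means the history check never needs the old passwords in clear, and returning a sentinel error per rule lets the directory's error signalling stay precise without revealing which stored entry matched.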
86
ITU-T SG 2
  • ITU-T Study Group 2
  • Operational aspects of service provision,
    networks and performance

87
SG 2 Scope of security study
  • Operational aspects such as prevention and
    detection of
  • Fraud
  • Misuse
  • Corresponding operational measures
  • Security requirements

88
SG 2 Accomplishment
  • Recommendations
  • E.156 Guidelines for ITU-T action on reported
    misuse of E.164 number resources
  • E.408 Telecommunication networks security
    requirements
  • E.409 Incident organization and security incident
    handling: Guidelines for telecommunication
    organizations
  • Numerous Recommendations on operational aspects
    of network management

89
ITU-T SG 4
  • ITU-T Study Group 4
  • Telecommunication management

90
SG 4 Scope of security study
  • Security of management plane
  • Management of security for telecommunications
    management
  • Security protocols for management

91
SG 4 Strategic direction
  • Establishment of interface Recommendations among
    security function groups or entities for
    management of security (Enhancement of M.3410)
  • Study on use of IdM in the management plane
  • Study on the management of IdM
  • Continuation of protocol profiling for security
    management

92
SG 4 Challenges
  • Fill the gap in security of the management plane
    and in management of its security
  • Collaboration with ATIS TMOC and ETSI TISPAN on
    the subject

93
SG 4 Accomplishment
  • Consent of Recommendation M.3410
  • Guidelines and Requirements for Security
    Management Systems to Support Telecommunications
    Management

94
SG 4 Next steps
  • Enhancement of M.3016 series Recommendations for
    security of management plane
  • Enhancement of M.3410 Recommendation for
    management of security for telecommunications
    management
  • Enhancement of Q.811 and Q.812, management
    protocol profiles from security subject
    perspective

95
SG 4 Questions
  • What security mechanisms and protocols are
    required to support security of management for
    NGNs?
  • What management mechanisms and protocols are
    required to support management of security for
    NGNs?
  • What use of Service-Oriented Architecture
    concepts should be applied in specifying protocol
    and security Recommendations?
  • What collaboration inside and outside the ITU-T
    is needed to develop protocol and security
    functions?

96
ITU-T SG 5
  • ITU-T Study Group 5
  • Protection against electromagnetic environment
    effects

97
SG 5 Scope
  • To provide guidance on the protection of
    Telecommunications and Data Centres against
    disruption of service and/or physical damage due
    to
  • Natural EM phenomena
  • Lightning, Electrostatic Discharge (ESD)
  • Interactions with the RF Spectrum
  • Electromagnetic Compatibility (EMC)
  • Man-Made/Malicious Electromagnetic threats
  • High-altitude EM Pulse (HEMP)
  • High-Power EM weapons (HPEM)
  • To provide guidance on the protection of
    electronic data from interception via EM means

98
SG 5 Strategic direction
  • Do not reinvent the wheel
  • Reference existing K-Series Recommendations
    wherever possible
  • Lightning, ESD, EMC
  • Develop effective liaisons with other
    International Standardization Organizations to
    exploit additional expertise
  • Liaison with IEC TC 77 Electromagnetic
    Compatibility (EMC) SC 77C High Power
    Transient Phenomena provided expertise in HEMP
    and HPEM
  • Liaison with National Institute of Information
    and Communications Technology (NICT) of Japan
    provided expertise on EM interception of data
  • Apply existing expertise to the
    telecommunications and data centre domain

99
SG 5 Challenges
  • Knowledge management
  • Liaisons with other bodies have granted access to
    rich veins of existing expertise
  • This has taken time to assimilate and present
    within the context of a telecommunications and
    data centre
  • EM intercept
  • Previously officially secret in some regions
    (e.g. previously known as TEMPEST within the US)

100
SG 5 Recent accomplishments
  • A document set is planned
  • K.sec basic introduction that references the
    following
  • K.hemp
  • K.hpem
  • K.leakage
  • K.sec_miti
  • Existing K-series Recommendations on lightning
  • Existing K-series Recommendations on EMC
  • Steady progress has been made on developing the
    document set

101
SG 5 Next steps/actions
Development of document set continues with the
following timing
Document Title of the Recommendation Timing
K.sec Guide for the application of electromagnetic security requirements - Basic Recommendation 2011
K.hemp Application of requirements against HEMP to telecommunication systems 2008
K.hpem Application of requirements against HPEM to telecommunication systems 2008
K.leakage Test method and requirements against information leak through unintentional EM emission 2009
K.secmiti Mitigation methods against EM security threats 2011
102
ITU-T SG 9
  • ITU-T Study Group 9
  • Integrated broadband cable networks and
    television and sound transmission

103
SG 9 Scope of security work
  • Security requirements are spread across multiple
    questions
  • Improve the security of conditional access
    systems used for television subscription,
    pay-per-view and similar services distributed to
    the home by cable television (Q3)
  • Security, conditional access, protection against
    unauthorized copying, protection against
    unauthorized redistribution requirements to be
    supported by a universal integrated receiver or
    set-top box for the reception of cable television
    and other services (Q5)
  • Security requirements and protocols associated
    with high-speed bidirectional data facilities
    intended to support, among other payloads, those
    utilizing Internet Protocols (IP) exploiting the
    broadband capacity provided by hybrid
    fiber/coaxial (HFC) digital cable television
    systems (Q8)
  • Security requirements and protocols for Voice
    over IP/Video over IP applications in IP-based
    cable television networks (Q9)
  • Extend the security requirements for
    entertainment video delivery associated with
    cable network video service onto the home network
    (Q10)
  • Provide all the security requirements for the
    network elements and services offered by cable
    operators

104
SG 9 Strategic direction for security for Cable
Networks
Network Elements
  • J.125 Link privacy for cable modem implementations
  • J.222.3 Third generation transmission systems security services
  • J.170 IP Cablecom security specification
  • J.360 IP Cablecom 2 architecture including security
  • J.366.7 Security features based on 3G mobile telecom system as modified for Cable
  • J.366.8 IMS network domain security specification
  • J.366.9 Generic authentication architecture specification

Home Networking Devices and Applications
  • J.192 A Residential Gateway to support delivery of cable data services
  • J.193 Requirements for next generation set-top boxes
  • J.197 High level requirements for DRM Bridge for Cable access Network to home network
  • J.290 Next generation set-top box architecture
  • J.700 IPTV requirements for secondary distribution
105
SG 9 Challenges for cable networks security
  • Authentication, privacy, access control and
    content protection both on the access network and
    the bridge to home network are key considerations
    for multi-media applications/services
  • Security requirements for network elements in the
    access networks determine how the applications
    (voice, video and data) are transmitted se